Cabbages decided no patch needed

Microsoft has admitted that it was first aware of bugs in its Jet Database Engine way back in 2005, but decided not to patch the problems because the software giant thought it had blocked the attack vectors.

Mike Reavey, a member of the firm’s security team, said on a blog post late Monday that Microsoft had been told by independent researchers about two separate issues in Jet database files, which use the file extension .mdb, in 2005 and 2007.

The firm, perhaps somewhat naively, decided at the time not to issue a security bulletin to its customers. It didn’t disclose the information because .mdb files are already on the unsafe file type list, are blocked from being opened on Outlook and are usually removed from incoming email by Exchange.

Or, as Reavey puts it: “Any attempt to attack customers using these issues was heavily mitigated by the blocking.”

Sadly for Microsoft, attackers have worked out how to circumnavigate Outlook's automatic block by loading an .mdb file through a Word document. Reavey explains in his post that the security flaw could occur when a person saves two .doc files and opens one of them.

“So that’s why we alerted customers to these attacks and are re-investigating Jet parsing flaws," said Reavey. "This is a new attack vector discovered that we didn’t know about previously."

But, despite the fact that hackers have found a way of planting malicious code in .mdb files via Microsoft’s Word application, the company’s security team is still working out whether or not to patch the vulnerability.

One option could be to put up more barriers instead, such as blocking Word from automatically loading .mdb files. The team is also considering replacing the edition of Jet in Windows 2000, XP and Server 2003 SP1 with a newer version, which is already built into Vista and Server 2003 SP2.

Reavey said that .mdb files will “always present attackers an opportunity to run code” and for that reason files for Jet Database Engine, which is a Windows component that provides data access to apps including Access and Visual Basic, will remain on the unsafe file type list.

He added that while the team continues to scratch their heads over the security flaw, customers should never automatically open a .mdb file “received unexpectedly”. ®